tp01 ... main

a1e253ba26 Fichiers configs nagios 2025-09-26 14:56:55 +02:00
fda826343a Ajout du script lvs.sh 2025-09-18 17:18:24 +02:00
b3bdaced27 Ajout du fichier haproxy.cfg 2025-09-18 17:08:19 +02:00
296613eb92 Modification README.md 2025-09-12 11:34:17 +02:00
0c3adc17df Ajout du fichier Vagrantfile 2025-09-12 11:30:21 +02:00
ef975eb469 Ajout des configs du firewall jusqu'à l'étape 6 2025-04-17 14:56:53 +02:00
8240fd27ab Ajoout des fichiers de sauvegarde des fichiers conf du firewall part2 et part3 2025-04-10 14:12:32 +02:00
c20b37ce75 Modif squid.conf plages d'ip interdites v2 2025-04-07 09:38:00 +02:00
482d4a0955 Modif squid.conf plages d'ip interdites 2025-04-07 09:33:34 +02:00
e6c5fd4ea3 Modification squid.conf pour url et banWords 2025-04-07 09:20:11 +02:00
9b18199931 Modification squid.conf pour url et banWords 2025-04-07 09:17:41 +02:00
4cc62c717a New test 2025-03-26 17:10:44 +01:00
743093b28f Test 2025-03-26 17:06:23 +01:00
ea525ffbd8 Modification de squid.conf pour ban mots et sites 2025-03-26 17:01:45 +01:00
5d3ce6cef2 Modification du fichier config squid.conf 2025-03-26 16:23:13 +01:00
b97787821b Ajout du script gitpush.sh au rép de tp05 2025-03-26 15:53:30 +01:00
f7d4724b02 Ajout du service dnsfwd.service 2025-03-26 15:44:07 +01:00
ce37dc2ec9 Ajout du fichier config DNS forwarding et de squid.conf 2025-03-26 15:41:12 +01:00
63f08bf8a6 test EOF2 2025-03-24 09:34:18 +01:00
22d1a1770a test EOF 2025-03-24 09:31:54 +01:00
f9ee969d21 test avec ; 2025-03-24 09:27:20 +01:00
d025522b94 Ajout de deployUsers.shv3 2025-03-24 09:22:59 +01:00
dedb21e2ac Mise à jour fichier deployUsersv3.sh 2025-03-24 09:18:07 +01:00
18910e6b1a Mise à jour fichier deployUsersv2.sh 2025-03-24 09:10:10 +01:00
8271f3984b Mise à jour fichier deployUsers.sh 2025-03-24 09:02:55 +01:00
31b3da2bb3 Script 2025-03-20 14:58:01 +01:00
97c1eaba8b Ajout de createUsers.sh 2025-02-20 14:49:06 +01:00
a1aba478f6 Ajout du fichier createLogins.sh vFinale 2025-02-20 14:04:03 +01:00
f1f82bf99e Test de createGroups.sh v3 2025-02-19 16:59:14 +01:00
3bd2dc688a Test de createGroups.sh v2 2025-02-19 16:53:25 +01:00
8644984689 Test de createGroups.sh v1 2025-02-19 16:48:02 +01:00
4405ebaf55 Test de la première version du script createGroups.sh 2025-02-17 11:49:11 +01:00
9b0bb82dc5 Actualiser sisr1/tp03-reseau-prive/srv-dns2/dns/README.md 2025-02-17 09:46:58 +01:00
cd47cd0824 Actualiser sisr1/tp03-reseau-prive/srv-dns2/dns/README.md 2025-02-17 09:46:36 +01:00
084bc3e3da Ajouter sisr1/tp03-reseau-prive/srv-dns2/dns/README.md 2025-02-17 09:41:51 +01:00
d31f8f5eed Ajout des fichiers configs dns et de la carte réseau de serveur dns2 2025-02-17 09:40:24 +01:00
b48e82f549 Ajout des fichiers configs dhcp et dns avec la carte réseau 2025-02-17 09:31:55 +01:00
6e4a091d0a Ajout de la carte réseau et du dossier nat du serveur admin 2025-02-17 09:16:24 +01:00
848f52aa01 suppression fichiers racine 2025-02-03 11:08:53 +01:00
499c304a2a Ajout desfichiers configs de dns2 2025-02-03 11:03:47 +01:00
f685f5dc16 Ajout des fichiers restants de configs de dns1 avec celui du dhcp 2025-02-03 10:54:32 +01:00
64f0cc1d1d Ajout des db.sio-yl.lan et idem.rev 2025-02-03 10:49:14 +01:00
09727c69b5 Fichiers config bind & dns Charlie 2025-01-30 13:21:54 +01:00
26970ceec3 Suppression erreur dans README siotp 2025-01-27 08:54:53 +01:00
569a7c1cb7 Ajout de la page d'adresse personnelle dans le README.md de sisr1 2025-01-27 08:52:51 +01:00
93c97e6bb0 Ajout de la page d'adresse personnelle dans le README.md de sisr1 2025-01-27 08:49:20 +01:00
65 changed files with 13253 additions and 3 deletions


@@ -2,4 +2,5 @@
Dépôt de suivi des fichiers de configuration réalisés au cours du BTS SIO
**sisr1** : enseignement SISR, première
**sisr1** : enseignement SISR, première année
**sisr2** : enseignement SISR, deuxième année


@@ -10,3 +10,6 @@ Travaux pratiques de première année : option SISR
* configuration de serveurs DNS primaires et secondaires
* configuration du service DHCP pour utiliser ces DNS
* automatisation du lancement du script NAT
# Plage d'adresse personnelle :
** 192.168.0.120 à 192.168.0.139 **


@@ -0,0 +1,21 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA dns1-yl.sio-yl.lan. root.dns1.sio-yl.lan. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
NS dns1-yl.sio-yl.lan.
dns1-yl.sio-yl.lan. A 192.168.0.121
@ IN NS localhost.
;@ IN A 127.0.0.1
deb-dhcp-yl IN A 192.168.0.120
dhcp CNAME deb-dhcp-yl.sio-yl.lan.
dns CNAME dns1-yl.sio-yl.lan.
dns2-yl IN A 192.168.0.122
;@ IN AAAA ::1
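Review bot: The zone still delegates itself to `localhost.` (`@ IN NS localhost.`) and never lists the secondary, although dns2-yl (192.168.0.122) is configured elsewhere in this commit as a slave of this very zone. Without an NS record for dns2-yl the master sends it no NOTIFY and resolvers can be handed `localhost` as a nameserver; replace the localhost line with `@ IN NS dns2-yl.sio-yl.lan.` and drop the stale "BIND data file for local loopback interface" header. The SOA RNAME `root.dns1.sio-yl.lan.` also differs from the `root.dns1-yl.sio-yl.lan.` used in the reverse zone of this commit; use one hostmaster mailbox for both.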


@@ -0,0 +1,17 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA dns1-yl.sio-yl.lan. root.dns1-yl.sio-yl.lan. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS dns1-yl.sio.lan.
120 IN PTR deb-dhcp-yl.sio-yl.lan.
121 IN PTR dns1-yl.sio-yl.lan.
122 IN PTR dns2-yl.sio-yl.lan.
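Review bot: The NS record `IN NS dns1-yl.sio.lan.` names a host under `sio.lan`, not the `sio-yl.lan` zone this commit defines, so the reverse zone's only nameserver is an unresolvable name; it should read `IN NS dns1-yl.sio-yl.lan.` (plus `IN NS dns2-yl.sio-yl.lan.` for the secondary). The same `sio.lan` slip appears in the transferred copy of this zone later in the commit and in the `/etc/hosts` entry `127.0.1.1 deb-dhcp-yl.sio.lan deb-dhcp-yl`.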


@@ -0,0 +1,109 @@
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 3600;
max-lease-time 604800;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.5 192.168.2.104;
option routers 192.168.2.1;
option domain-name-servers 192.168.0.121;
option domain-name "dns1-yl.sio-yl.lan";
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.example.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host wxp {
hardware ethernet 08:00:27:77:70:0d;
fixed-address 192.168.2.105;
}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
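Review bot: `option domain-name "dns1-yl.sio-yl.lan";` in the 192.168.2.0/24 subnet hands clients the DNS server's hostname as their search domain, so short names such as `dhcp` or `dns2-yl` will not resolve; it should be `option domain-name "sio-yl.lan";`. The global `option domain-name "example.org";` and `option domain-name-servers ns1.example.org, ns2.example.org;` are template leftovers that are overridden per subnet but, as hostnames, are presumably resolved by dhcpd when it parses the file and can keep it from starting when no resolver is reachable; delete them or point them at the lab values. `authoritative;` is also still commented out, so a client arriving with a lease from another network is not NAKed and keeps its old address until that lease expires. The second dhcpd.conf in this commit (monlabo.lan) carries the same example.org and `#authoritative;` leftovers.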


@@ -0,0 +1 @@
deb-dhcp-yl


@@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 deb-dhcp-yl.sio.lan deb-dhcp-yl
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


@@ -0,0 +1,24 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
10.121.38.7; // Forwarder 1
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
listen-on-v6 { any; };
};
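Review bot: The options block turns off `dnssec-validation` and sets no `allow-query`, `allow-recursion` or `allow-transfer`, so this named answers recursive queries for any client that can reach it and, on the masters, serves a full AXFR of the zones to any requester. For a lab behind a forwarder that may be intended, but it should be explicit: `allow-recursion { localnets; };` and `allow-transfer { none; };` here, with `allow-transfer { <secondary-ip>; };` on each master zone (the secondaries in this commit are 192.168.0.122 and 172.16.0.3). With `dnssec-validation no;` answers relayed by the 10.121.38.7 forwarder are accepted unvalidated; `dnssec-validation auto;` restores validation when the forwarder returns signed data. The same block is committed twice more later in this push (the dns2 and srv-service copies).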


@@ -0,0 +1,17 @@
$ORIGIN .
$TTL 604800 ; 1 week
sio-yl.lan IN SOA dns1-yl.sio-yl.lan. root.dns1.sio-yl.lan. (
2 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS dns1-yl.sio-yl.lan.
NS localhost.
$ORIGIN sio-yl.lan.
deb-dhcp-yl A 192.168.0.120
dhcp CNAME deb-dhcp-yl
dns CNAME dns1-yl
dns1-yl A 192.168.0.121
dns2-yl A 192.168.0.122


@@ -0,0 +1,14 @@
$ORIGIN .
$TTL 604800 ; 1 week
0.168.192.in-addr.arpa IN SOA dns1-yl.sio-yl.lan. root.dns1-yl.sio-yl.lan. (
2 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS dns1-yl.sio.lan.
$ORIGIN 0.168.192.in-addr.arpa.
120 PTR deb-dhcp-yl.sio-yl.lan.
121 PTR dns1-yl.sio-yl.lan.
122 PTR dns2-yl.sio-yl.lan.


@@ -0,0 +1,11 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


@@ -0,0 +1,24 @@
//
// Do any local configuration here
// zone directe
zone "sio-yl.lan" {
type slave;
file "/etc/bind/db.sio-yl.lan";
masters { 192.168.0.121; };
masterfile-format text;
};
// zone inverse
zone "0.168.192.in-addr.arpa" {
type slave;
notify no;
file "/etc/bind/db.sio-yl.lan.rev";
masters { 192.168.0.121; };
masterfile-format text;
};
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
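Review bot: Both slave zones write their transferred copies into `/etc/bind/` (`file "/etc/bind/db.sio-yl.lan"`), and the AppArmor profile committed alongside grants `/etc/bind/** rw,` to make that work, even though the profile's own comment says `/etc/bind should be read-only for bind`. Slave data belongs under the `directory "/var/cache/bind"` already set in named.conf.options, which the profile allows as `lrw` without any widening: `file "db.sio-yl.lan";` and `file "db.sio-yl.lan.rev";` (paths are relative to `directory`), then keep `/etc/bind/**` read-only in the profile. The monlabo.lan slave configuration later in this commit has the same layout and needs the same change.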


@@ -0,0 +1,24 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
10.121.38.7; // Forwarder 1
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
listen-on-v6 { any; };
};


@@ -0,0 +1,101 @@
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
profile named /usr/sbin/named flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** rw,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# Database file used by allow-new-zones
/var/cache/bind/_default.nzd-lock rwk,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/*.cnf r,
/etc/ssl/*.conf r,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
# named need to check if hugepages is available
/sys/kernel/mm/transparent_hugepage/enabled r,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/mc/initgroups r,
/etc/gss/mech.d/ r,
# ldap
/etc/ldap/ldap.conf r,
/{,var/}run/slapd-*.socket rw,
# dynamic updates
/var/tmp/DNS_* rw,
# dyndb backends
/usr/lib/bind/*.so rm,
# Samba DLZ
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
owner /var/tmp/krb5_* rwk,
# systemd sd_notify
/run/systemd/notify w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}


@@ -4,3 +4,5 @@
* **nat.service** : service lançant le script au démarrage
* A placer à /etc/systemd/system/nat.service
* Activer le service : <code>systemctl enable nat.service</code>


@@ -0,0 +1,22 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#allow-hotplug enp0s3
#iface enp0s3 inet dhcp
auto enp0s3
iface enp0s3 inet static
address 192.168.0.120/24
gateway 192.168.0.1
# The secondary network interface
auto enp0s8
iface enp0s8 inet dhcp
#iface enp0s8 inet static
# address 172.16.0.1/24


@@ -0,0 +1,8 @@
* **nat.sh** : script activant la NAT dynamique sans filtrage
* A placer à /root/nat.sh
* Rendre exécutable : <code>chmod +x /root/nat.sh</code>
* **nat.service** : service lançant le script au démarrage
* A placer à /etc/systemd/system/nat.service
* Activer le service : <code>systemctl enable nat.service</code>


@@ -0,0 +1,13 @@
[Unit]
Description=execute /root/nat.sh
After=default.target
[Service]
ExecStart=bash /root/nat.sh
[Install]
WantedBy=default.target
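Review bot: `After=default.target` on a unit that is itself `WantedBy=default.target` most likely forms an ordering cycle (a target implicitly orders itself after the units it Wants), which systemd breaks by dropping a job, and nothing orders the script after the interfaces it configures are up. The unit also declares no `Type=`, so `nat.sh` is treated as a long-running daemon that exits immediately and the service shows as inactive right after boot. Order it after the network and make it a one-shot that stays active.
```ini
[Unit]
Description=execute /root/nat.sh
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash /root/nat.sh

[Install]
WantedBy=multi-user.target
```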


@@ -0,0 +1,6 @@
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
nft add table basic_nat_table
nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0 \; }
nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0 \; }
nft add rule basic_nat_table postrouting masquerade
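Review bot: `nft add rule basic_nat_table postrouting masquerade` matches every packet leaving every interface, and because `add rule` appends, each run of the script (every boot, every service restart) stacks one more identical rule; nothing here is scoped or idempotent. Name the family, flush the table before repopulating it, and limit masquerading to the uplink: `nft add table ip basic_nat_table`, `nft flush table ip basic_nat_table`, then `nft add rule ip basic_nat_table postrouting oifname "<uplink-iface>" masquerade` (the uplink interface is not named anywhere in this commit). `echo "1" > /proc/sys/net/ipv4/ip_forward` is not persisted either; `net.ipv4.ip_forward = 1` in a sysctl.d file would not depend on this service running.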


@@ -0,0 +1,17 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet dhcp
#auto enp0s3
#iface enp0s3 inet static
# address 172.16.0.200/24
# gateway 172.16.0.1


@@ -0,0 +1,2 @@
- Exportation du fichier named.conf.local uniquement car ce dernier va récuperer la configuration de **srv-service** (serveur DNS primaire).
- **named.conf.local** : configuration de ce dernier en mettant le serveur DNS en slave (DNS secondaire)


@@ -0,0 +1,25 @@
//
// Do any local configuration here
// zone directe
zone "monlabo.lan" {
type slave;
file "/etc/bind/db.monlabo.lan";
masters {172.16.0.2; };
masterfile-format text;
};
//
// zone inverse
zone "0.16.172.in-addr.arpa" {
type slave;
notify no;
file "/etc/bind/db.monlabo.lan.rev";
masters {172.16.0.2; };
masterfile-format text;
};
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


@@ -0,0 +1,17 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp0s3
#iface enp0s3 inet dhcp
auto enp0s3
iface enp0s3 inet static
address 172.16.0.2/24
gateway 172.16.0.1


@@ -0,0 +1,115 @@
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
subnet 172.16.0.0 netmask 255.255.255.0 {
range 172.16.0.50 172.16.0.149;
#option broadcast-address 10.254.239.31;
option routers 172.16.0.1;
option domain-name-servers 172.16.0.2, 172.16.0.3;
option domain-name "monlabo.lan";
}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.example.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host srv-admin-yl {
hardware ethernet 08:00:27:b8:da:8b;
fixed-address 172.16.0.1;
}
host srv-dns2 {
hardware ethernet 08:00:27:95:ad:90;
fixed-address 172.16.0.3;
}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}


@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s3"
INTERFACESv6=""


@@ -0,0 +1,28 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA srv-service.monlabo.lan. root.monlabo.lan. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
NS srv-service.monlabo.lan.
NS srv-dns2.monlabo.lan.
srv-service.monlabo.lan. A 172.16.0.2
srv-dns2.monlabo.lan. A 172.16.0.3
srv-admin-yl.monlabo.lan. A 172.16.0.1
srvdhcp IN CNAME srv-service.monlabo.lan.
dhcp IN CNAME srv-service.monlabo.lan.
srvdns IN CNAME srv-service.monlabo.lan.
srvdns1 IN CNAME srv-service.monlabo.lan.
srvdns2 IN CNAME srv-dns2.monlabo.lan.
dns1 IN CNAME srv-service.monlabo.lan.
dns IN CNAME srv-service.monlabo.lan.
dns2 IN CNAME srv-dns2.monlabo.lan.
srvadmin IN CNAME srv-admin-yl.monlabo.lan.
router IN CNAME srv-admin-yl.monlabo.lan.
gateway IN CNAME srv-admin-yl.monlabo.lan.


@@ -0,0 +1,30 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA srv-service.monlabo.lan. root.srv-service.monlabo.lan. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
NS srv-service.monlabo.lan.
NS srv-dns2.monlabo.lan.
3 IN PTR srv-dns2.monlabo.lan.
1 IN PTR srv-admin-yl.monlabo.lan.
2 IN PTR srv-service.monlabo.lan.
srvdhcp IN CNAME srv-service.monlabo.lan.
dhcp IN CNAME srv-service.monlabo.lan.
srvdns IN CNAME srv-service.monlabo.lan.
srvdns1 IN CNAME srv-service.monlabo.lan.
srvdns2 IN CNAME srv-dns2.monlabo.lan.
dns1 IN CNAME srv-service.monlabo.lan.
dns IN CNAME srv-service.monlabo.lan.
dns2 IN CNAME srv-dns2.monlabo.lan.
srvadmin IN CNAME srv-admin-yl.monlabo.lan.
router IN CNAME srv-admin-yl.monlabo.lan.
gateway IN CNAME srv-admin-yl.monlabo.lan.
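Review bot: The eleven `IN CNAME` records copied from the forward zone into `0.16.172.in-addr.arpa` create names such as `srvdhcp.0.16.172.in-addr.arpa` that no resolver will ever query; a reverse zone should carry only its SOA, NS and PTR records. Delete the CNAME lines after the three PTRs. As in the forward file, the header still reads `BIND data file for local loopback interface`, which no longer describes the content.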


@@ -0,0 +1,20 @@
//
// Do any local configuration here
// zone directe
zone "monlabo.lan" {
type master;
file "/etc/bind/db.monlabo.lan";
};
// zone inverse
zone "0.16.172.in-addr.arpa" {
type master;
notify no;
file "etc/bind/db.monlabo.lan.rev";
};
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
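Review bot: `file "etc/bind/db.monlabo.lan.rev";` is a relative path, which named resolves against `directory "/var/cache/bind"`, so the reverse zone will fail to load; it should be `file "/etc/bind/db.monlabo.lan.rev";` to match the forward zone. `notify no;` on that same zone also stops the master from telling srv-dns2 (configured as its slave in this commit) about changes, so the secondary only catches up at the one-week refresh; drop the line or add `also-notify { 172.16.0.3; };`. Neither zone restricts transfers; `allow-transfer { 172.16.0.3; };` on both would limit AXFR to the secondary.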


@@ -0,0 +1,24 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
10.121.38.7; //DNS lycée
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
listen-on-v6 { any; };
};


@@ -0,0 +1,30 @@
Ermengarde,Berthelmot,eberthelmot0@webmd.com,Female,Accountant,
Kassi,Bunker,kbunker1@xinhuanet.com,Female,Production,
Moises,McCallum,mmccallum2@i2i.jp,Male,Production,
Patrizio,Lune,plune3@upenn.edu,Male,Accountant,
Blanch,Everix,beverix4@php.net,Female,Accountant,
Stafani,Kibbel,skibbel5@marriott.com,Female,Production,
Ignacius,Mosdell,imosdell6@cloudflare.com,Male,Management,
Jeana,Waller-Bridge,jwallerbridge7@mapy.cz,Female,Management,
Elroy,Dressel,edressel8@opera.com,Male,Production,
Thea,Strettell,tstrettell9@nature.com,Female,Production,
Solomon,Insoll,sinsolla@utexas.edu,Male,Accountant,
Carri,Feedome,cfeedomeb@ask.com,Female,Accountant,
Padraic,Chetwind,pchetwindc@last.fm,Male,Management,
Solly,D'Ugo,sdugod@uiuc.edu,Male,Production,
Konstanze,MacCostigan,kmaccostigane@seattletimes.com,Female,Accountant,
Roxane,Powlesland,rpowleslandf@pcworld.com,Female,Management,
Orelle,Kennealy,okennealyg@arstechnica.com,Female,Production,
Sukey,Soitoux,ssoitouxh@shinystat.com,Female,Production,
Nelli,Syce,nsycei@blogger.com,Female,Production,
Clarisse,Shillam,cshillamj@dailymotion.com,Female,Production,
Carin,Gueny,cguenyk@naver.com,Female,Management,
Donny,Riepel,driepell@addtoany.com,Male,Production,
Daniella,Ralfe,dralfem@wunderground.com,Female,Production,
Lexy,Clynmans,lclynmansn@furl.net,Female,Production,
Gardiner,Adamthwaite,gadamthwaiteo@spotify.com,Male,Production,
Woodman,Lippett,wlippettp@purevolume.com,Male,Production,
Nadya,Munnion,nmunnionq@flavors.me,Female,Production,
Llewellyn,Habershon,lhabershonr@alibaba.com,Male,Production,
Isaak,Greatrex,igreatrexs@seesaa.net,Male,Production,
Darill,Frostdyke,dfrostdyket@cafepress.com,Male,Production,
1 Ermengarde Berthelmot eberthelmot0@webmd.com Female Accountant
2 Kassi Bunker kbunker1@xinhuanet.com Female Production
3 Moises McCallum mmccallum2@i2i.jp Male Production
4 Patrizio Lune plune3@upenn.edu Male Accountant
5 Blanch Everix beverix4@php.net Female Accountant
6 Stafani Kibbel skibbel5@marriott.com Female Production
7 Ignacius Mosdell imosdell6@cloudflare.com Male Management
8 Jeana Waller-Bridge jwallerbridge7@mapy.cz Female Management
9 Elroy Dressel edressel8@opera.com Male Production
10 Thea Strettell tstrettell9@nature.com Female Production
11 Solomon Insoll sinsolla@utexas.edu Male Accountant
12 Carri Feedome cfeedomeb@ask.com Female Accountant
13 Padraic Chetwind pchetwindc@last.fm Male Management
14 Solly D'Ugo sdugod@uiuc.edu Male Production
15 Konstanze MacCostigan kmaccostigane@seattletimes.com Female Accountant
16 Roxane Powlesland rpowleslandf@pcworld.com Female Management
17 Orelle Kennealy okennealyg@arstechnica.com Female Production
18 Sukey Soitoux ssoitouxh@shinystat.com Female Production
19 Nelli Syce nsycei@blogger.com Female Production
20 Clarisse Shillam cshillamj@dailymotion.com Female Production
21 Carin Gueny cguenyk@naver.com Female Management
22 Donny Riepel driepell@addtoany.com Male Production
23 Daniella Ralfe dralfem@wunderground.com Female Production
24 Lexy Clynmans lclynmansn@furl.net Female Production
25 Gardiner Adamthwaite gadamthwaiteo@spotify.com Male Production
26 Woodman Lippett wlippettp@purevolume.com Male Production
27 Nadya Munnion nmunnionq@flavors.me Female Production
28 Llewellyn Habershon lhabershonr@alibaba.com Male Production
29 Isaak Greatrex igreatrexs@seesaa.net Male Production
30 Darill Frostdyke dfrostdyket@cafepress.com Male Production


@@ -0,0 +1,32 @@
#!/bin/bash
file='./Users.csv'
group=""
while read ligne # Utilisation d'une boucle while car plus paratique pour lire un fichier
do
metier=$(echo $ligne | cut -d "," -f5 ) # A chaque itération, stocke le métier dans $metier
# Vérification de la présence du groupe accountant -> ajout de la fonction "accountant" à $groups
if [[ $(echo $ligne | grep $metier) != "" ]] ; then
groupadd $metier
fi
done < $file # Permet d'inclure le fichier à la boucle
# Vérification des groupes crées
tail /etc/group
#
# if [[$group != $metier]]
# then
# groupadd $metier
# else
# echo "Le groupe existe déjà"
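Review bot: The test `[[ $(echo $ligne | grep $metier) != "" ]]` is always true because `$metier` was just extracted from `$ligne`, so `groupadd` runs for every row and fails with "group already exists" on every repeat of a job title (the commented block at the end shows the intended duplicate check). Ask the system instead: `if ! getent group "$metier" >/dev/null; then groupadd "$metier"; fi`. Quoting `"$ligne"` (or using `IFS=, read -r` to split the fields) keeps fields that contain spaces from being split before `cut` sees them.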


@@ -0,0 +1,31 @@
#!/bin/bash
file='./Users.csv'
loginFile='./logins.csv'
rm $loginFile 2> /dev/null # Redirection des erreurs
touch $loginFile
while read line # Utilisation d'une boucle while car plus paratique pour lire un fichier
do
# A chaque itération, writeFile va se réinitialiser
writeFile=""
# A chaque itération récupère dans des variables le nom, prénom et le groupe
fName=$(echo $line | cut -d "," -f1 )
lName=$(echo $line | cut -d "," -f2 )
group=$(echo $line | cut -d "," -f5 )
login=$(echo $fName | cut -c1)$lName
login=$(echo $login | tr [:upper:] [:lower:])
login=$(echo $login | tr -dc [:alnum:])
# A chaque itération stocke le mot de passer pour chaque utilisateur dans password
password=$(tr -dc A-Za-z0-9 </dev/urandom | head -c8; echo)
# A chaque itération, ajout des infos ci-dessous dans loginFile
writeFile="$login;$password;$fName;$lName;$group"
echo $writeFile >> $loginFile
done < $file
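Review bot: The script writes every generated password in clear text to `./logins.csv` with the default umask, and that file is committed in this same push (it appears later with all thirty passwords), so the credentials are now part of the repository history. At minimum create the file closed (`umask 077` before `touch "$loginFile"`, or `chmod 600 "$loginFile"` right after it), add `logins.csv` to `.gitignore`, and treat the already-committed passwords as burned. `tr [:upper:] [:lower:]` and `tr -dc [:alnum:]` should be quoted (`'[:upper:]'`): unquoted they are glob patterns that the shell expands whenever a one-character file such as `u` or `p` exists in the current directory.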


@@ -0,0 +1,18 @@
#!/bin/bash
file="./logins.csv"
while read line
do
username=$(echo $line | cut -d ";" -f1)
# L'option -m crée le répertoire perso dans /home et -s indique le shell
useradd -m -s "/bin/bash" $username
group=$(echo $line | cut -d ";" -f5)
usermod -aG $group $username
password=$(echo $line | cut -d ";" -f2)
# Permet de changer le mot de passe
echo $username:$password | chpasswd
# Attribution des droits sur le répertoire personnel *
chown $username:$username /home/$username
done < $file
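Review bot: Nothing forces the users to replace the generated password that was just distributed through a shared CSV; add `chage -d 0 "$username"` after `chpasswd` so it expires at first login. The exit status of `useradd` is ignored, so on a rerun (user already present) `usermod` and `chpasswd` still execute and silently reset an existing user's password; `useradd -m -s /bin/bash "$username" || continue` stops that. The trailing `chown` is redundant, since `useradd -m` already creates the home directory owned by the new user, and every `$username`/`$group`/`$password` expansion should be quoted.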


@@ -0,0 +1,15 @@
#!/bin/bash
# Ip passée en paramètre
ip=$1
user=root
workdir=/$user/deploy
ssh $user@$ip "mkdir -p $workdir" 2> /dev/null
scp "./createGroups.sh" "./logins.csv" "Users.csv" "createUsers.sh" $user@$ip:$workdir
ssh $user@$ip << EOF
cd $workdir
bash createGroups.sh
bash createUsers.sh
rm -R $workdir
EOF
# ssh $user@$ip "cd $workdir ; bash $workdir/createGroups.sh ; bash $workdir/createUsers.sh ; rm -R $workdir"
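Review bot: `ip=$1` is never validated, so running the script without an argument yields `ssh root@` and the copy goes nowhere, while the `2> /dev/null` on the `mkdir` call hides exactly the connection or authentication error that would explain it. Add `[ -z "$1" ] && { echo "usage: $0 <ip>" >&2; exit 1; }` at the top and let the ssh errors through. The remote heredoc runs both scripts unconditionally before `rm -R $workdir`; `set -e` as its first line (or `bash createGroups.sh && bash createUsers.sh`) stops the run on the first failure instead of deleting the evidence.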


@@ -0,0 +1,18 @@
#!/bin/bash
# Permet de vérifier si un message a été passé en argument
if [ -z "$1" ]; then
read -p "Erreur : Entrez un message : " $message
else
message=$1
fi
# Ajout des fichiers modifiés
git add .
# Commit avec le message
git commit -m "$message"
# Push vers le dépôt Gitea
git push -u https://yann.lereuille@gitea.lyc-lecastel.fr/yann.lereuille/siotp.git
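Review bot: `read -p "Erreur : Entrez un message : " $message` expands the empty `$message`, so `read` stores the input in `REPLY` and `message` stays empty; the commit is then attempted with `-m ""` and git rejects it. The variable name must be given literally: `read -p "Erreur : Entrez un message : " message`. Checking that `message` is non-empty before `git add .` would also avoid staging files when the commit is going to fail.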


@@ -0,0 +1,30 @@
eberthelmot;EV14Ml0y;Ermengarde;Berthelmot;Accountant
kbunker;UH2lMt0J;Kassi;Bunker;Production
mmccallum;inL1wFGX;Moises;McCallum;Production
plune;CdeumP6l;Patrizio;Lune;Accountant
beverix;XkA92SNB;Blanch;Everix;Accountant
skibbel;DLPakOJc;Stafani;Kibbel;Production
imosdell;9zvwKjFJ;Ignacius;Mosdell;Management
jwallerbridge;Urz5FoAt;Jeana;Waller-Bridge;Management
edressel;cw2Nkpp4;Elroy;Dressel;Production
tstrettell;bfFjZ7oz;Thea;Strettell;Production
sinsoll;xn0Cu8zg;Solomon;Insoll;Accountant
cfeedome;Otm8KrwT;Carri;Feedome;Accountant
pchetwind;HM2D6QUl;Padraic;Chetwind;Management
sdugo;Mk8FhHgQ;Solly;D'Ugo;Production
kmaccostigan;4pyLSjtz;Konstanze;MacCostigan;Accountant
rpowlesland;6TqevQaP;Roxane;Powlesland;Management
okennealy;GGcTSPT2;Orelle;Kennealy;Production
ssoitoux;bLwFZDvY;Sukey;Soitoux;Production
nsyce;c3uHw3eB;Nelli;Syce;Production
cshillam;Pa3pzjrW;Clarisse;Shillam;Production
cgueny;32wmqRXb;Carin;Gueny;Management
driepel;bu7RmJUU;Donny;Riepel;Production
dralfe;UeEW6VTC;Daniella;Ralfe;Production
lclynmans;YpTIYcR3;Lexy;Clynmans;Production
gadamthwaite;etWk91hZ;Gardiner;Adamthwaite;Production
wlippett;Fyr0beDB;Woodman;Lippett;Production
nmunnion;Lr1cekvC;Nadya;Munnion;Production
lhabershon;VziwMTYz;Llewellyn;Habershon;Production
igreatrex;FahUQNQz;Isaak;Greatrex;Production
dfrostdyke;DcnA65DS;Darill;Frostdyke;Production
1 eberthelmot EV14Ml0y Ermengarde Berthelmot Accountant
2 kbunker UH2lMt0J Kassi Bunker Production
3 mmccallum inL1wFGX Moises McCallum Production
4 plune CdeumP6l Patrizio Lune Accountant
5 beverix XkA92SNB Blanch Everix Accountant
6 skibbel DLPakOJc Stafani Kibbel Production
7 imosdell 9zvwKjFJ Ignacius Mosdell Management
8 jwallerbridge Urz5FoAt Jeana Waller-Bridge Management
9 edressel cw2Nkpp4 Elroy Dressel Production
10 tstrettell bfFjZ7oz Thea Strettell Production
11 sinsoll xn0Cu8zg Solomon Insoll Accountant
12 cfeedome Otm8KrwT Carri Feedome Accountant
13 pchetwind HM2D6QUl Padraic Chetwind Management
14 sdugo Mk8FhHgQ Solly D'Ugo Production
15 kmaccostigan 4pyLSjtz Konstanze MacCostigan Accountant
16 rpowlesland 6TqevQaP Roxane Powlesland Management
17 okennealy GGcTSPT2 Orelle Kennealy Production
18 ssoitoux bLwFZDvY Sukey Soitoux Production
19 nsyce c3uHw3eB Nelli Syce Production
20 cshillam Pa3pzjrW Clarisse Shillam Production
21 cgueny 32wmqRXb Carin Gueny Management
22 driepel bu7RmJUU Donny Riepel Production
23 dralfe UeEW6VTC Daniella Ralfe Production
24 lclynmans YpTIYcR3 Lexy Clynmans Production
25 gadamthwaite etWk91hZ Gardiner Adamthwaite Production
26 wlippett Fyr0beDB Woodman Lippett Production
27 nmunnion Lr1cekvC Nadya Munnion Production
28 lhabershon VziwMTYz Llewellyn Habershon Production
29 igreatrex FahUQNQz Isaak Greatrex Production
30 dfrostdyke DcnA65DS Darill Frostdyke Production
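Review bot: Every row stores a cleartext password next to its login, and committing the file puts those values in the repository history, where they remain readable even after a later deletion; createUsers.sh consumes this file directly, so each account it creates starts with a password visible to anyone with read access to the repo. Treat these values as disposable: regenerate the file outside the repository (or keep it out of version control via .gitignore and commit only the header or a template) and have the creation script force a password change at first login. If the file must stay for the exercise, a first-line comment stating that the credentials are for a lab and must be rotated before any reuse documents the intent.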


@@ -0,0 +1,13 @@
[Unit]
Description=execute /root/dnsfwd.sh
After=default.target
[Service]
ExecStart=bash /root/dnsfwd.sh
[Install]
WantedBy=default.target
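Review bot: The script this unit runs only installs nft rules and exits, so with the default `Type=simple` systemd considers the unit inactive as soon as the script returns and a `systemctl restart` just re-runs it; `Type=oneshot` together with `RemainAfterExit=yes` under `[Service]` matches that behaviour and lets `systemctl status dnsfwd` show whether the rules were loaded. `After=default.target` on L1014 orders the unit after the very target that pulls it in via `WantedBy=default.target` on L1018; `After=network.target` is the usual ordering for a script that enables forwarding and adds nat rules.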


@@ -0,0 +1,11 @@
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
nft add table dnsfwd
nft add chain dnsfwd prerouting {type nat hook prerouting priority 0 \; }
nft add chain dnsfwd postrouting {type nat hook postrouting priority 0 \; }
nft add rule dnsfwd postrouting tcp dport 53 masquerade
nft add rule dnsfwd postrouting udp dport 53 masquerade
nft add rule dnsfwd prerouting tcp dport 53 masquerade
nft add rule dnsfwd prerouting udp dport 53 masquerade
nft add rule dnsfwd prerouting ct state established,related accept
nft add rule dnsfwd postrouting ct state established,related accept
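Review bot: `masquerade` is a source-NAT action that nft only allows in a chain registered on the postrouting hook, so the two prerouting rules on L1030-L1031 should be rejected when the script runs; if port-53 traffic is meant to be redirected to a forwarder, the prerouting chain needs a `dnat to <FORWARDER_IP>` rule instead (placeholder: the forwarder address does not appear in this file). The `ct state established,related accept` rules on L1032-L1033 are no-ops in nat chains, which only see the first packet of a flow. The script is also not idempotent: every run appends another copy of each rule because `nft add` never replaces, so either `nft flush table dnsfwd` right after the `add table` on L1025, or load the rules with `nft -f` from a file that starts with `table ip dnsfwd` and `flush table ip dnsfwd`.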


@@ -0,0 +1,18 @@
#!/bin/bash
# Permet de vérifier si un message a été passé en argument
if [ -z "$1" ]; then
read -p "Erreur : Entrez un message : " $message
else
message=$1
fi
# Ajout des fichiers modifiés
git add .
# Commit avec le message
git commit -m "$message"
# Push vers le dépôt Gitea
git push -u https://yann.lereuille@gitea.lyc-lecastel.fr/yann.lereuille/siotp.git


@@ -0,0 +1,13 @@
#!/bin/bash
#Script destiné à être paramétré et exécuté depuis un répertoire de votre dépôt Git contenant un fichier de configuration d'un service
filename=squid.conf #Nom du fichier de config
filepath=/etc/squid #Emplacement système du fichier de config
servicename=squid.service #Nom du service
git pull #mise à jour du fichier de config du dépôt
sudo cp $filepath/$filename $filepath/$filename.old #sauvegarde fichier précédent
sudo cp ./$filename $filepath/$filename #copie du fichier de config mis à jour à son emplacement
sudo systemctl restart $servicename #redémarrage du service associé
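Review bot: The service is restarted on L1063 without validating the freshly copied file, so a syntax error in the pulled squid.conf takes the proxy down; `sudo squid -k parse || exit 1` between the copy and the restart aborts before the live service is touched. None of the earlier steps is checked either — a failed `git pull` on L1060 silently redeploys the previous file — so `set -e` after the shebang, or `|| exit 1` on each command, makes the script stop at the first error. Because the script is parameterised by `servicename`, the parse step is squid-specific and would need its own variable or a per-service branch to stay generic.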

9166
sisr1/tp05-proxy/squid.conf Normal file



@@ -0,0 +1,115 @@
define netif = enp0s3
define lanif = enp0s8
define dmzif = enp0s9
define netip = 192.168.0.130
define lanip = 172.16.0.254
define dmzip = 172.17.0.254
define lan-ntw = 172.16.0.1-172.16.0.254
define dmz-ntw = 172.17.0.1-172.17.0.254
define internal-dns-ip = 172.16.0.2
define dns-forwarder-ip = 10.121.38.7
table ip ipfilter{
#Chaines de filtrage
chain prerouting {
type filter hook prerouting priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp dport 22 accept
#Requêtes HTTP/HTTPS depuis LAN
tcp dport {80,443} iif $lanif accept
#Requêtes externe du serveur DNS
ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
#Pings
icmp type echo-request iif $lanif accept
icmp type echo-reply iif {$lanif, $dmzif} accept
#Requêtes DNS depuis DMZ
ip saddr $dmz-ntw ip daddr $internal-dns-ip accept
}
chain system_in {
type filter hook input priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp dport 22 accept
#Pings
icmp type echo-request iif $lanif accept
icmp type echo-reply accept
#Requêtes DNS depuis DMZ
udp dport 53 accept
tcp dport 53 accept
}
chain routing {
type filter hook forward priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#Requêtes HTTP/HTTPS depuis LAN
tcp dport {80,443} iif $lanif accept
#Requêtes externe du serveur DNS
ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
#Pings
icmp type echo-request iif $lanif oif $dmzif accept
icmp type echo-reply iif $dmzif oif $lanif accept
#Requêtes DNS depuis DMZ
ip saddr $dmz-ntw ip daddr $internal-dns-ip accept
}
chain system_out {
type filter hook output priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp sport 22 accept
#Proxy lycée
tcp dport 8080 accept
#DNS
udp dport 53 accept
#HTTP/HTTPS
tcp dport {80,443} accept
#FTP
tcp dport {20,21} accept
#Pings
icmp type echo-request accept
icmp type echo-reply oif $lanif accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp sport 22 accept
#Proxy lycée
tcp dport 8080 accept
#DNS
udp dport 53 accept
#HTTP/HTTPS
tcp dport {80,443} accept
#FTP
tcp dport {20,21} accept
#Requêtes externe du serveur DNS
ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
#Pings
icmp type echo-request oif {$lanif, $dmzif} accept
icmp type echo-reply oif $lanif accept
#Requêtes DNS depuis DMZ
ip saddr $dmz-ntw ip daddr $internal-dns-ip accept
}
#Chaines pour la NAT
chain nat_prerouting {
type nat hook prerouting priority filter; policy accept;
}
chain nat_postrouting {
type nat hook postrouting priority filter; policy accept;
#Masquage des IP de la LAN sortant sur Internet
ip saddr $lan-ntw oif $netif snat $netip
}
}
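Review bot: The rules commented as DNS traffic match only on addresses, not ports: `ip saddr $dmz-ntw ip daddr $internal-dns-ip accept` on L1099/L1126/L1166 lets any protocol from the DMZ reach the internal DNS server, and L1094/L1121/L1161 likewise pass all traffic from that server to the forwarder; adding `udp dport 53` (and `tcp dport 53` where zone transfers or large answers are expected) limits them to what the comments say. `tcp dport 22 accept` on L1090/L1106 carries no `iif`, so SSH to the firewall is accepted from `$netif` as well as from the internal interfaces; `tcp dport 22 iif {$lanif, $dmzif} accept` closes the external side. The nat chains on L1170/L1173 use `priority filter`, the same value as the filter chains on the same hooks, which leaves their relative order undefined; `priority dstnat` for the prerouting nat chain and `priority srcnat` for the postrouting one give them a fixed position relative to filtering. The ruleset at L1325-L1421 shares the SSH and priority points (it has no DMZ-to-DNS rules).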


@@ -0,0 +1,15 @@
table ip ipfilter {
chain routing {
type filter hook forward priority filter; policy accept;
icmp type echo-request iif { "enp0s3", "enp0s9" } drop
icmp type echo-request iif { "enp0s3", "enp0s9" } drop
icmp type echo-request iif { "enp0s3", "enp0s9" } drop
icmp type { echo-reply, echo-request } accept
drop
}
chain system_in {
type filter hook forward priority filter; policy accept;
icmp type echo-request iif { "enp0s3", "enp0s9" } drop
}
}
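Review bot: The chain on L1191 is named `system_in` but is registered on `hook forward` (L1192), the same hook as `routing`, so it never filters traffic addressed to the firewall; the name suggests `hook input` was intended. L1185-L1187 repeat one drop rule three times and the bare `drop` on L1189 makes the chain's `policy accept` unreachable, which reads like an `nft list ruleset` dump taken after several `nft add` runs rather than a hand-written file. If it is kept as a snapshot, a first-line comment saying which step it captures would make that clear.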


@@ -0,0 +1,26 @@
define netif = enp0s3
define dmzif = enp0s8
define lanif = enp0s9
table ip ipfilter{
chain prerouting {
type filter hook prerouting priority filter; policy drop;
tcp dport 22 accept
}
chain system_in {
type filter hook input priority filter; policy drop;
tcp dport 22 accept
}
chain routing {
type filter hook forward priority filter; policy drop;
}
chain system_out {
type filter hook output priority filter; policy drop;
tcp sport 22 accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
tcp sport 22 accept
}
}
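Review bot: The interface mapping on L1201-L1202 (`dmzif = enp0s8`, `lanif = enp0s9`) is the reverse of every other ruleset in this commit (`lanif = enp0s8`, `dmzif = enp0s9` on L1229-L1230, L1272-L1273 and L1327-L1328); if this is the earliest step, a comment noting that the roles were swapped later avoids confusion when the files are diffed. None of the three defines is used here, and `tcp dport 22 accept` on L1206/L1210 accepts SSH from any interface including the external one; `tcp dport 22 iif $lanif accept` at this stage is the cheapest place to get that restriction right before the later steps copy the line.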


@@ -0,0 +1,42 @@
define netif = enp0s3
define lanif = enp0s8
define dmzif = enp0s9
define netip = 192.168.0.130
define lanip = 172.16.0.254
define dmzip = 172.17.0.254
define lan-ntw = 172.16.0.1-172.16.0.254
define dmz-ntw = 172.17.0.1-172.17.0.254
table ip ipfilter{
chain prerouting {
type filter hook prerouting priority filter; policy drop;
tcp dport 22 accept
icmp type echo-request iif $lanif accept
icmp type echo-reply iif {$lanif, $dmzif} accept
}
chain system_in {
type filter hook input priority filter; policy drop;
tcp dport 22 accept
icmp type echo-request iif $lanif accept
icmp type echo-reply accept
}
chain routing {
type filter hook forward priority filter; policy drop;
icmp type echo-request iif $lanif oif $dmzif accept
icmp type echo-reply iif $dmzif oif $lanif accept
}
chain system_out {
type filter hook output priority filter; policy drop;
tcp sport 22 accept
icmp type echo-request accept
icmp type echo-reply oif $lanif accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
tcp sport 22 accept
icmp type echo-request oif {$lanif, $dmzif} accept
icmp type echo-reply oif $lanif accept
}
}
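Review bot: L1257 lets the firewall send echo-requests out any interface, but the only rule admitting the reply in prerouting is L1241 with `iif {$lanif, $dmzif}`, so a ping from the firewall to an Internet host is answered and then dropped before it reaches `system_in`. Either add `$netif` to the set on L1241 or, as the later rulesets in this commit do, put `ct state established,related accept` at the top of each chain so reply traffic does not have to be enumerated per direction. Without a conntrack rule, every protocol added later needs a matching return rule in prerouting, input or forward, and output.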


@@ -0,0 +1,54 @@
define netif = enp0s3
define lanif = enp0s8
define dmzif = enp0s9
define netip = 192.168.0.130
define lanip = 172.16.0.254
define dmzip = 172.17.0.254
define lan-ntw = 172.16.0.1-172.16.0.254
define dmz-ntw = 172.17.0.1-172.17.0.254
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
ct state established,related accept
tcp dport 22 accept
icmp type echo-request iif $lanif accept
icmp type echo-reply iif {$lanif, $dmzif} accept
}
chain system_in {
type filter hook input priority filter; policy drop;
ct state established,related accept
tcp dport 22 accept
icmp type echo-request iif $lanif accept
icmp type echo-reply accept
udp sport 53 accept # Ajout pour les réponses DNS
}
chain routing {
type filter hook forward priority filter; policy drop;
icmp type echo-request iif $lanif oif $dmzif accept
icmp type echo-reply iif $dmzif oif $lanif accept
udp sport 53 accept # Ajout pour les réponses DNS
}
chain system_out {
type filter hook output priority filter; policy drop;
tcp sport 22 accept
udp dport 53 accept
tcp dport {80, 443} accept
tcp dport {20, 21} accept
tcp dport 8080 accept
icmp type echo-request accept
icmp type echo-reply oif $lanif accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
tcp sport 22 accept
udp dport 53 accept
tcp sport {80, 443} accept
tcp sport {20, 21} accept
tcp dport 8080 accept
icmp type echo-request oif {$lanif, $dmzif} accept
icmp type echo-reply oif $lanif accept
}
}
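Review bot: `udp sport 53 accept` on L1293 and L1299 accepts any UDP packet whose sender chose source port 53, from any interface, which is a weak match because the sender controls that field; in `system_in` it is also redundant with the `ct state established,related accept` on L1289, which already admits replies to the firewall's own queries. The `routing` chain (L1295-L1300) is the only one without a conntrack rule, which is presumably why the forward-side rule was added; `ct state established,related accept` as the first rule there lets both sport-53 lines go. Separately, `tcp sport {80, 443}` on L1315 does not match the firewall's own outbound HTTP/HTTPS that `system_out` allows with `tcp dport {80, 443}` on L1305, so `postrouting` presumably wanted `dport` there unless only the proxy on 8080 (L1317) is used in practice.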


@@ -0,0 +1,106 @@
define netif = enp0s3
define lanif = enp0s8
define dmzif = enp0s9
define netip = 192.168.0.130
define lanip = 172.16.0.254
define dmzip = 172.17.0.254
define lan-ntw = 172.16.0.1-172.16.0.254
define dmz-ntw = 172.17.0.1-172.17.0.254
define internal-dns-ip = 172.16.0.2
define dns-forwarder-ip = 10.121.38.7
table ip ipfilter{
#Chaines de filtrage
chain prerouting {
type filter hook prerouting priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp dport 22 accept
#Requêtes HTTP/HTTPS depuis LAN
tcp dport {80,443} iif $lanif accept
#Requêtes externe du serveur DNS
ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
#Pings
icmp type echo-request iif $lanif accept
icmp type echo-reply iif {$lanif, $dmzif} accept
}
chain system_in {
type filter hook input priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp dport 22 accept
#Pings
icmp type echo-request iif $lanif accept
icmp type echo-reply accept
}
chain routing {
type filter hook forward priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#Requêtes HTTP/HTTPS depuis LAN
tcp dport {80,443} iif $lanif accept
#Requêtes externe du serveur DNS
ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
#Pings
icmp type echo-request iif $lanif oif $dmzif accept
icmp type echo-reply iif $dmzif oif $lanif accept
}
chain system_out {
type filter hook output priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp sport 22 accept
#Proxy lycée
tcp dport 8080 accept
#DNS
udp dport 53 accept
#HTTP/HTTPS
tcp dport {80,443} accept
#FTP
tcp dport {20,21} accept
#Pings
icmp type echo-request accept
icmp type echo-reply oif $lanif accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
#Communication déjà établies
ct state established,related accept
#SSH
tcp sport 22 accept
#Proxy lycée
tcp dport 8080 accept
#DNS
udp dport 53 accept
#HTTP/HTTPS
tcp dport {80,443} accept
#FTP
tcp dport {20,21} accept
#Requêtes externe du serveur DNS
ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
#Pings
icmp type echo-request oif {$lanif, $dmzif} accept
icmp type echo-reply oif $lanif accept
}
#Chaines pour la NAT
chain nat_prerouting {
type nat hook prerouting priority filter; policy accept;
}
chain nat_postrouting {
type nat hook postrouting priority filter; policy accept;
#Masquage des IP de la LAN sortant sur Internet
ip saddr $lan-ntw oif $netif snat $netip
}
}


@@ -0,0 +1,18 @@
#!/bin/bash
# Permet de vérifier si un message a été passé en argument
if [ -z "$1" ]; then
read -p "Erreur : Entrez un message : " $message
else
message=$1
fi
# Ajout des fichiers modifiés
git add .
# Commit avec le message
git commit -m "$message"
# Push vers le dépôt Gitea
git push -u https://yann.lereuille@gitea.lyc-lecastel.fr/yann.lereuille/siotp.git


@@ -0,0 +1,6 @@
#!/bin/bash
ipfirewall=192.168.0.130
dir=/root/firewall
ruleset=current_ruleset.nft
scp $ruleset root@$ipfirewall:$dir/$ruleset
ssh root@$ipfirewall "bash $dir/refresh_firewall.sh"
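Review bot: The new ruleset is copied and then applied through `refresh_firewall.sh` without any syntax check, and that remote script is not part of this commit, so it is unclear whether it validates before loading; running `ssh root@$ipfirewall "nft -c -f $dir/$ruleset" || exit 1` before L1448 keeps a typo from replacing the live ruleset. Because every ruleset in this repo has `policy drop` on input and depends on a single `tcp dport 22 accept` line, a mistake there locks you out of the firewall; a scheduled rollback on the remote side (reloading the previous ruleset via `at` a few minutes later, cancelled once SSH is confirmed to still work) is the usual safeguard. Quoting `"$dir"` and `"$ruleset"` on L1447-L1448 costs nothing.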

78
sisr2/sisr-cyber/10-ids/Vagrantfile vendored Normal file

@@ -0,0 +1,78 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For a complete reference, please see the online documentation at
# https://docs.vagrantup.com.
# Every Vagrant development environment requires a box. You can search for
# boxes at https://vagrantcloud.com/search.
config.vm.box = "debian/bookworm64"
config.vm.hostname= "ids"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
# config.vm.network "forwarded_port", guest: 80, host: 8080
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine and only allow access
# via 127.0.0.1 to disable public access
# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
# Create a private network, which allows host-only access to the machine
# using a specific IP.
# config.vm.network "private_network", ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "../data", "/vagrant_data"
# Disable the default share of the current code directory. Doing this
# provides improved isolation between the vagrant box and your host
# by making sure your Vagrantfile isn't accessible to the vagrant box.
# If you use this you may want to enable additional shared subfolders as
# shown above.
# config.vm.synced_folder ".", "/vagrant", disabled: true
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
# config.vm.provider "virtualbox" do |vb|
# # Display the VirtualBox GUI when booting the machine
# vb.gui = true
#
# # Customize the amount of memory on the VM:
# vb.memory = "1024"
# end
#
# View the documentation for the provider you are using for more
# information on available options.
# Enable provisioning with a shell script. Additional provisioners such as
# Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
# documentation for more information about their specific syntax and use.
config.vm.provision "shell", inline: <<-SHELL
apt-get update
apt-get install -y rkhunter chkrootkit
SHELL
end
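Review bot: `config.vm.network "public_network"` on L1488 bridges the guest onto the physical LAN, so the box's default `vagrant` account (typically with passwordless sudo) becomes reachable from every host on that segment rather than only from the host machine; if the bridge is only needed so the IDS can see LAN traffic, a `private_network` with a fixed IP for management alongside it is the more contained layout. The shell provisioner on L1517-L1520 installs rkhunter and chkrootkit but never initialises rkhunter's file-property baseline; `rkhunter --propupd` right after the install, while the image is still clean, gives later `rkhunter -c` runs something to compare against. The missing space in `config.vm.hostname= "ids"` on L1468 is the only style nit.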



@@ -0,0 +1,302 @@
###############################################################################
# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS 4.4.6
#
#
# NOTES: This config file provides you with some example command definitions
# that you can reference in host, service, and contact definitions.
#
# You don't need to keep commands in a separate file from your other
# object definitions. This has been done just to make things easier to
# understand.
#
###############################################################################
################################################################################
#
# SAMPLE NOTIFICATION COMMANDS
#
# These are some example notification commands. They may or may not work on
# your system without modification. As an example, some systems will require
# you to use "/usr/bin/mailx" instead of "/usr/bin/mail" in the commands below.
#
################################################################################
define command {
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
define command {
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
################################################################################
#
# SAMPLE HOST CHECK COMMANDS
#
################################################################################
# Removed in Debian because it conflicts with the command of the same name
# defined in ping.cfg, which is part of monitoring-plugins-basic.
#
## This command checks to see if a host is "alive" by pinging it
## The check must result in a 100% packet loss or 5 second (5000ms) round trip
## average time to produce a critical error.
## Note: Five ICMP echo packets are sent (determined by the '-p 5' argument)
#
#define command {
#
# command_name check-host-alive
# command_line $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
#}
################################################################################
#
# SAMPLE SERVICE CHECK COMMANDS
#
# These are some example service check commands. They may or may not work on
# your system, as they must be modified for your plugins. See the HTML
# documentation on the plugins for examples of how to configure command definitions.
#
# NOTE: The following 'check_local_...' functions are designed to monitor
# various metrics on the host that Nagios is running on (i.e. this one).
################################################################################
define command {
command_name check_local_disk
command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
define command {
command_name check_local_load
command_line $USER1$/check_load -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_procs
command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}
define command {
command_name check_local_users
command_line $USER1$/check_users -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_swap
command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_mrtgtraf
command_line $USER1$/check_mrtgtraf -F $ARG1$ -a $ARG2$ -w $ARG3$ -c $ARG4$ -e $ARG5$
}
################################################################################
# NOTE: The following 'check_...' commands are used to monitor services on
# both local and remote hosts.
################################################################################
# Removed in Debian because it conflicts with the command of the same of
# defined in ftp.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_ftp
# command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in hppjd.cfg, which is part of monitoring-plugins-standard.
#
#define command {
#
# command_name check_hpjd
# command_line $USER1$/check_hpjd -H $HOSTADDRESS$ $ARG1$
#}
define command {
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
# Removed in Debian because it conflicts with the command of the same of
# defined in http.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_http
# command_line $USER1$/check_http -I $HOSTADDRESS$ $ARG1$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in ssh.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_ssh
# command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in dhcp.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_dhcp
# command_line $USER1$/check_dhcp $ARG1$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in ping.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_ping
# command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in mail.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_pop
# command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in mail.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_imap
# command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in mail.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_smtp
# command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in tcp_ucp.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_tcp
# command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in tcp_ucp.cfg, which is part of monitoring-plugins-basic.
#
#define command {
#
# command_name check_udp
# command_line $USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
#}
# Removed in Debian because it conflicts with the command of the same of
# defined in nt.cfg, which is part of monitoring-plugins-standard.
#
#define command {
# command_name check_nt
# command_line $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$
#}
################################################################################
#
# SAMPLE PERFORMANCE DATA COMMANDS
#
# These are sample performance data commands that can be used to send performance
# data output to two text files (one for hosts, another for services). If you
# plan on simply writing performance data out to a file, consider using the
# host_perfdata_file and service_perfdata_file options in the main config file.
#
################################################################################
define command {
command_name process-host-perfdata
command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/lib/nagios4/host-perfdata.out
}
define command {
command_name process-service-perfdata
command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios4/service-perfdata.out
}
define command {
command_name check_lin_load
command_line $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -T $ARG3$ -w $ARG4$ -c $ARG5$
}
#define command {
# command_nacheck_nt
# command_line $USER1$/check_nt -H $HOS $ARG2$
#}
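Review bot: `check_lin_load` on L1731-L1734 takes the SNMP community as `$ARG1$`, which puts the community string into every service definition that calls it and into the argument list of each check process; Nagios provides the `$USERn$` macros from resource.cfg (a file normally restricted to the nagios user and not shown in the CGIs) for exactly this, so `-C $USER2$` keeps the secret out of the object configuration. L1735-L1738 is a truncated, commented-out remnant of the `check_nt` block above (`command_nacheck_nt`, `-H $HOS $ARG2$`) and should be deleted rather than left as dead text.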


@@ -0,0 +1,51 @@
###############################################################################
# CONTACTS.CFG - SAMPLE CONTACT/CONTACTGROUP DEFINITIONS
#
#
# NOTES: This config file provides you with some example contact and contact
# group definitions that you can reference in host and service
# definitions.
#
# You don't need to keep these definitions in a separate file from your
# other object definitions. This has been done just to make things
# easier to understand.
#
###############################################################################
###############################################################################
#
# CONTACTS
#
###############################################################################
# Just one contact defined by default - the Nagios admin (that's you)
# This contact definition inherits a lot of default values from the
# 'generic-contact' template which is defined elsewhere.
define contact {
contact_name nagiosadmin ; Short name of user
use generic-contact ; Inherit default values from generic-contact template (defined above)
alias Nagios Admin ; Full name of user
email nagios@localhost ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
}
###############################################################################
#
# CONTACT GROUPS
#
###############################################################################
# We only have one contact in this simple configuration file, so there is
# no need to create more than one contact group.
define contactgroup {
contactgroup_name admins
alias Nagios Administrators
members nagiosadmin
}


@@ -0,0 +1,22 @@
###############################################################################
#
# HOST GROUP DEFINITION
#
###############################################################################
# Define an optional hostgroup for Linux machines
define hostgroup {
hostgroup_name linux-servers ; The name of the hostgroup
alias Linux Servers ; Long name of the group
members localhost, srv1, gwsio ; Comma separated list of hosts that belong to this group
}
define hostgroup {
hostgroup_name windows-servers ; The name of the hostgroup
alias Windows Servers ; Long name of the group
members w10-srv ; Comma separated list of ho>
}
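Review bot: The trailing comment on L1800 is cut off (`; Comma separated list of ho>`), which looks like a terminal-width truncation from a paste rather than intended text; restore it to `; Comma separated list of hosts that belong to this group` as on L1795. Nagios ignores everything after `;` so parsing is unaffected, but the stray `>` will mislead the next reader.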


@@ -0,0 +1,42 @@
###############################################################################
# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE
#
#
# NOTE: This config file is intended to serve as an *extremely* simple
# example of how you can create configuration entries to monitor
# the local (Linux) machine.
#
###############################################################################
###############################################################################
#
# HOST DEFINITION
#
###############################################################################
# Define a host for the local machine
define host {
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name gwsio
alias gwsio
address 192.168.0.1
}
###############################################################################
#
# HOST GROUP DEFINITION
#
###############################################################################
# Define a service to check HTTP on the local machine.
# Disable notifications for this service by default, as not all users may have HTTP enabled.
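Review bot: The file ends with a `HOST GROUP DEFINITION` banner (L1829-L1833) and a "Define a service to check HTTP" comment (L1834-L1835) that are followed by no definition, so either a hostgroup or service block was lost when the file was copied or the leftover comments should be removed. The header on L1807 still reads `LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE` although the only object is the remote host `gwsio` at 192.168.0.1; renaming the banner to the actual file and host avoids confusion with the real localhost.cfg in this same commit.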


@@ -0,0 +1,159 @@
###############################################################################
# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE
#
#
# NOTE: This config file is intended to serve as an *extremely* simple
# example of how you can create configuration entries to monitor
# the local (Linux) machine.
#
###############################################################################
###############################################################################
#
# HOST DEFINITION
#
###############################################################################
# Define a host for the local machine
define host {
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name localhost
alias localhost
address 127.0.0.1
}
###############################################################################
#
# HOST GROUP DEFINITION
#
###############################################################################
# Define an optional hostgroup for Linux machines
#define hostgroup {
#
# hostgroup_name linux-servers ; The name of the hostgroup
# alias Linux Servers ; Long name of the group
# members localhost ; Comma separated list of hosts that belong to this group
#}
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
# Define a service to "ping" the local machine
define service {
use local-service ; Name of service template to use
host_name localhost
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}
# Define a service to check the disk space of the root partition
# on the local machine. Warning if < 20% free, critical if
# < 10% free space on partition.
define service {
use local-service ; Name of service template to use
host_name localhost
service_description Root Partition
check_command check_local_disk!20%!10%!/
}
# Define a service to check the number of currently logged in
# users on the local machine. Warning if > 20 users, critical
# if > 50 users.
define service {
use local-service ; Name of service template to use
host_name localhost
service_description Current Users
check_command check_local_users!20!50
}
# Define a service to check the number of currently running procs
# on the local machine. Warning if > 250 processes, critical if
# > 400 processes.
define service {
use local-service ; Name of service template to use
host_name localhost
service_description Total Processes
check_command check_local_procs!250!400!RSZDT
}
# Define a service to check the load on the local machine.
define service {
use local-service ; Name of service template to use
host_name localhost
service_description Current Load
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}
# Define a service to check the swap usage the local machine.
# Critical if less than 10% of swap is free, warning if less than 20% is free
define service {
use local-service ; Name of service template to use
host_name localhost
service_description Swap Usage
check_command check_local_swap!20%!10%
}
# Define a service to check SSH on the local machine.
# Disable notifications for this service by default, as not all users may have SSH enabled.
define service {
use generic-service ; Name of service template to use
hostgroups linux-servers
service_description SSH
check_command check_ssh
notifications_enabled 0
}
# Define a service to check HTTP on the local machine.
# Disable notifications for this service by default, as not all users may have HTTP enabled.
define service {
use local-service ; Name of service template to use
host_name localhost
service_description HTTP
check_command check_http
notifications_enabled 0
}


@@ -0,0 +1,82 @@
###############################################################################
# PRINTER.CFG - SAMPLE CONFIG FILE FOR MONITORING A NETWORK PRINTER
#
#
# NOTES: This config file assumes that you are using the sample configuration
# files that get installed with the Nagios quickstart guide.
#
###############################################################################
###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################
# Define a host for the printer we'll be monitoring
# Change the host_name, alias, and address to fit your situation
define host {
use generic-printer ; Inherit default values from a template
host_name hplj2605dn ; The name we're giving to this printer
alias HP LaserJet 2605dn ; A longer name associated with the printer
address 192.168.1.30 ; IP address of the printer
hostgroups network-printers ; Host groups this printer is associated with
}
###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################
# A hostgroup for network printers
define hostgroup {
hostgroup_name network-printers ; The name of the hostgroup
alias Network Printers ; Long name of the group
}
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
# Create a service for monitoring the status of the printer
# Change the host_name to match the name of the host you defined above
# If the printer has an SNMP community string other than "public",
# change the check_command directive to reflect that
define service {
use generic-service ; Inherit values from a template
host_name hplj2605dn ; The name of the host the service is associated with
service_description Printer Status ; The service description
check_command check_hpjd!-C public ; The command used to monitor the service
check_interval 10 ; Check the service every 10 minutes under normal conditions
retry_interval 1 ; Re-check the service every minute until its final/hard state is determined
}
# Create a service for "pinging" the printer occasionally.
# Useful for monitoring RTA, packet loss, etc.
define service {
use generic-service
host_name hplj2605dn
service_description PING
check_command check_ping!3000.0,80%!5000.0,100%
check_interval 10
retry_interval 1
}


@@ -0,0 +1,9 @@
# service de supervision de Load Linux avec SNMP
# 3 valeurs : charge moyenne sur 1 min, 5 min, 15 min
define service{
use generic-service ;Use generic-service template
hostgroup_name linux-servers ; S'applique au groupe en question
service_description chk-lin-load ; Nom du service
check_command check_lin_load!public!--v2c!netsl!3,2,2!3,2,2 ; Command
# servicegroups ser-lin-base ;Service belong servicegroup
}
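Review bot: The two threshold arguments at the end of `check_command check_lin_load!public!--v2c!netsl!3,2,2!3,2,2` are identical, so if they are the warning and critical load triplets as the comment suggests, a WARNING state is unreachable: any load that reaches the warning level is already critical. Use a lower warning triplet, e.g. `check_lin_load!public!--v2c!netsl!2,1.5,1.5!3,2,2` (constructed values, tune per host). The service is bound with `hostgroup_name linux-servers`, yet the only `linux-servers` hostgroup definition in this commit is the commented-out one in the localhost sample and the `srv1` host has no `hostgroups` directive, so unless the group is defined in a file outside this change the check will either fail `nagios -v` or match no host. The check also relies on SNMPv2c with the community `public`, which travels in clear text and is a well-known default; use a non-default community, or SNMPv3 where the agents support it.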


@@ -0,0 +1,54 @@
###############################################################################
# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE
#
#
# NOTE: This config file is intended to serve as an *extremely* simple
# example of how you can create configuration entries to monitor
# the local (Linux) machine.
#
###############################################################################
###############################################################################
#
# HOST DEFINITION
#
###############################################################################
# Define a host for the local machine
define host {
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name srv1
alias srv
address 192.168.0.46
}
###############################################################################
#
# HOST GROUP DEFINITION
#
###############################################################################
# Define an optional hostgroup for Linux machines
# Define a service to check HTTP on the local machine.
# Disable notifications for this service by default, as not all users may have HTTP enabled.
define service {
use generic-service ; Name of service template to use
host_name srv1
service_description HTTP
check_command check_http
notifications_enabled 0
}
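Review bot: The comments in this file no longer match its contents: the header still announces `LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE` and the `HOST GROUP DEFINITION` banner introduces nothing, while the host actually defined is `srv1` at 192.168.0.46; retitle the header (e.g. `# SRV1.CFG - OBJECT CONFIG FILE FOR MONITORING srv1`) and drop the empty banner. The host carries no `hostgroups` directive, so the hostgroup-scoped services elsewhere in this commit (the `linux-servers` SSH and SNMP load checks) will not attach to it; add `hostgroups linux-servers` to the host and a matching `define hostgroup` if that grouping is intended. Finally, `notifications_enabled 0` on the HTTP service was copied from a sample where HTTP may not be running at all; on a server monitored specifically for its web service it means a failed site never notifies anyone, so set it to `1` or remove the line to inherit the template value.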


@@ -0,0 +1,99 @@
###############################################################################
# SWITCH.CFG - SAMPLE CONFIG FILE FOR MONITORING A SWITCH
#
#
# NOTES: This config file assumes that you are using the sample configuration
# files that get installed with the Nagios quickstart guide.
#
###############################################################################
###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################
# Define the switch that we'll be monitoring
define host {
use generic-switch ; Inherit default values from a template
host_name linksys-srw224p ; The name we're giving to this switch
alias Linksys SRW224P Switch ; A longer name associated with the switch
address 192.168.1.253 ; IP address of the switch
hostgroups switches ; Host groups this switch is associated with
}
###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################
# Create a new hostgroup for switches
define hostgroup {
hostgroup_name switches ; The name of the hostgroup
alias Network Switches ; Long name of the group
}
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
# Create a service to PING to switch
define service {
use generic-service ; Inherit values from a template
host_name linksys-srw224p ; The name of the host the service is associated with
service_description PING ; The service description
check_command check_ping!200.0,20%!600.0,60% ; The command used to monitor the service
check_interval 5 ; Check the service every 5 minutes under normal conditions
retry_interval 1 ; Re-check the service every minute until its final/hard state is determined
}
# Monitor uptime via SNMP
define service {
use generic-service ; Inherit values from a template
host_name linksys-srw224p
service_description Uptime
check_command check_snmp!-C public -o sysUpTime.0
}
# Monitor Port 1 status via SNMP
define service {
use generic-service ; Inherit values from a template
host_name linksys-srw224p
service_description Port 1 Link Status
check_command check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}
# Monitor bandwidth via MRTG logs
define service {
use generic-service ; Inherit values from a template
host_name linksys-srw224p
service_description Port 1 Bandwidth Usage
check_command check_local_mrtgtraf!/var/lib/mrtg/192.168.1.253_1.log!AVG!1000000,1000000!5000000,5000000!10
}


@@ -0,0 +1,198 @@
###############################################################################
# TEMPLATES.CFG - SAMPLE OBJECT TEMPLATES
#
#
# NOTES: This config file provides you with some example object definition
# templates that are referred by other host, service, contact, etc.
# definitions in other config files.
#
# You don't need to keep these definitions in a separate file from your
# other object definitions. This has been done just to make things
# easier to understand.
#
###############################################################################
###############################################################################
#
# CONTACT TEMPLATES
#
###############################################################################
# Generic contact definition template
# This is NOT a real contact, just a template!
define contact {
name generic-contact ; The name of this contact template
service_notification_period 24x7 ; service notifications can be sent anytime
host_notification_period 24x7 ; host notifications can be sent anytime
service_notification_options w,u,c,r,f,s ; send notifications for all service states, flapping events, and scheduled downtime events
host_notification_options d,u,r,f,s ; send notifications for all host states, flapping events, and scheduled downtime events
service_notification_commands notify-service-by-email ; send service notifications via email
host_notification_commands notify-host-by-email ; send host notifications via email
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A REAL CONTACT, JUST A TEMPLATE!
}
###############################################################################
#
# HOST TEMPLATES
#
###############################################################################
# Generic host definition template
# This is NOT a real host, just a template!
define host {
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
notification_period 24x7 ; Send host notifications at any time
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}
# Linux host definition template
# This is NOT a real host, just a template!
define host {
name linux-server ; The name of this host template
use generic-host ; This template inherits other values from the generic-host template
check_period 24x7 ; By default, Linux hosts are checked round the clock
check_interval 5 ; Actively check the host every 5 minutes
retry_interval 1 ; Schedule host check retries at 1 minute intervals
max_check_attempts 10 ; Check each Linux host 10 times (max)
check_command check-host-alive ; Default command to check Linux hosts
notification_period workhours ; Linux admins hate to be woken up, so we only notify during the day
; Note that the notification_period variable is being overridden from
; the value that is inherited from the generic-host template!
notification_interval 120 ; Resend notifications every 2 hours
notification_options d,u,r ; Only send notifications for specific host states
contact_groups admins ; Notifications get sent to the admins by default
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}
# Windows host definition template
# This is NOT a real host, just a template!
define host {
name windows-server ; The name of this host template
use generic-host ; Inherit default values from the generic-host template
check_period 24x7 ; By default, Windows servers are monitored round the clock
check_interval 5 ; Actively check the server every 5 minutes
retry_interval 1 ; Schedule host check retries at 1 minute intervals
max_check_attempts 10 ; Check each server 10 times (max)
check_command check-host-alive ; Default command to check if servers are "alive"
notification_period 24x7 ; Send notification out at any time - day or night
notification_interval 30 ; Resend notifications every 30 minutes
notification_options d,r ; Only send notifications for specific host states
contact_groups admins ; Notifications get sent to the admins by default
hostgroups windows-servers ; Host groups that Windows servers should be a member of
register 0 ; DON'T REGISTER THIS - ITS JUST A TEMPLATE
}
# We define a generic printer template that can
# be used for most printers we monitor
define host {
name generic-printer ; The name of this host template
use generic-host ; Inherit default values from the generic-host template
check_period 24x7 ; By default, printers are monitored round the clock
check_interval 5 ; Actively check the printer every 5 minutes
retry_interval 1 ; Schedule host check retries at 1 minute intervals
max_check_attempts 10 ; Check each printer 10 times (max)
check_command check-host-alive ; Default command to check if printers are "alive"
notification_period workhours ; Printers are only used during the workday
notification_interval 30 ; Resend notifications every 30 minutes
notification_options d,r ; Only send notifications for specific host states
contact_groups admins ; Notifications get sent to the admins by default
register 0 ; DON'T REGISTER THIS - ITS JUST A TEMPLATE
}
# Define a template for switches that we can reuse
define host {
name generic-switch ; The name of this host template
use generic-host ; Inherit default values from the generic-host template
check_period 24x7 ; By default, switches are monitored round the clock
check_interval 5 ; Switches are checked every 5 minutes
retry_interval 1 ; Schedule host check retries at 1 minute intervals
max_check_attempts 10 ; Check each switch 10 times (max)
check_command check-host-alive ; Default command to check if routers are "alive"
notification_period 24x7 ; Send notifications at any time
notification_interval 30 ; Resend notifications every 30 minutes
notification_options d,r ; Only send notifications for specific host states
contact_groups admins ; Notifications get sent to the admins by default
register 0 ; DON'T REGISTER THIS - ITS JUST A TEMPLATE
}
###############################################################################
#
# SERVICE TEMPLATES
#
###############################################################################
# Generic service definition template
# This is NOT a real service, just a template!
define service {
name generic-service ; The 'name' of this service template
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major performance problems)
obsess_over_service 1 ; We should obsess over this service (if necessary)
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
is_volatile 0 ; The service is not volatile
check_period 24x7 ; The service can be checked at any time of the day
max_check_attempts 3 ; Re-check the service up to 3 times in order to determine its final (hard) state
check_interval 10 ; Check the service every 10 minutes under normal conditions
retry_interval 2 ; Re-check the service every two minutes until a hard state can be determined
contact_groups admins ; Notifications get sent out to everyone in the 'admins' group
notification_options w,u,c,r ; Send notifications about warning, unknown, critical, and recovery events
notification_interval 60 ; Re-notify about service problems every hour
notification_period 24x7 ; Notifications can be sent out at any time
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}
# Local service definition template
# This is NOT a real service, just a template!
define service {
name local-service ; The name of this service template
use generic-service ; Inherit default values from the generic-service definition
max_check_attempts 4 ; Re-check the service up to 4 times in order to determine its final (hard) state
check_interval 5 ; Check the service every 5 minutes under normal conditions
retry_interval 1 ; Re-check the service every minute until a hard state can be determined
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}


@@ -0,0 +1,112 @@
###############################################################################
# TIMEPERIODS.CFG - SAMPLE TIMEPERIOD DEFINITIONS
#
#
# NOTES: This config file provides you with some example timeperiod definitions
# that you can reference in host, service, contact, and dependency
# definitions.
#
# You don't need to keep timeperiods in a separate file from your other
# object definitions. This has been done just to make things easier to
# understand.
#
###############################################################################
###############################################################################
#
# TIMEPERIOD DEFINITIONS
#
###############################################################################
# This defines a timeperiod where all times are valid for checks,
# notifications, etc. The classic "24x7" support nightmare. :-)
define timeperiod {
name 24x7
timeperiod_name 24x7
alias 24 Hours A Day, 7 Days A Week
sunday 00:00-24:00
monday 00:00-24:00
tuesday 00:00-24:00
wednesday 00:00-24:00
thursday 00:00-24:00
friday 00:00-24:00
saturday 00:00-24:00
}
# This defines a timeperiod that is normal workhours for
# those of us monitoring networks and such in the U.S.
define timeperiod {
name workhours
timeperiod_name workhours
alias Normal Work Hours
monday 09:00-17:00
tuesday 09:00-17:00
wednesday 09:00-17:00
thursday 09:00-17:00
friday 09:00-17:00
}
# This defines the *perfect* check and notification
# timeperiod
define timeperiod {
name none
timeperiod_name none
alias No Time Is A Good Time
}
# Some U.S. holidays
# Note: The timeranges for each holiday are meant to *exclude* the holidays from being
# treated as a valid time for notifications, etc. You probably don't want your pager
# going off on New Year's. Although your employer might... :-)
define timeperiod {
name us-holidays
timeperiod_name us-holidays
alias U.S. Holidays
january 1 00:00-00:00 ; New Years
monday -1 may 00:00-00:00 ; Memorial Day (last Monday in May)
july 4 00:00-00:00 ; Independence Day
monday 1 september 00:00-00:00 ; Labor Day (first Monday in September)
thursday 4 november 00:00-00:00 ; Thanksgiving (4th Thursday in November)
december 25 00:00-00:00 ; Christmas
}
# This defines a modified "24x7" timeperiod that covers every day of the
# year, except for U.S. holidays (defined in the timeperiod above).
define timeperiod {
name 24x7_sans_holidays
timeperiod_name 24x7_sans_holidays
alias 24x7 Sans Holidays
use us-holidays ; Get holiday exceptions from other timeperiod
sunday 00:00-24:00
monday 00:00-24:00
tuesday 00:00-24:00
wednesday 00:00-24:00
thursday 00:00-24:00
friday 00:00-24:00
saturday 00:00-24:00
}


@@ -0,0 +1,78 @@
###############################################################################
# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE
#
#
# NOTE: This config file is intended to serve as an *extremely* simple
# example of how you can create configuration entries to monitor
# the local (Linux) machine.
#
###############################################################################
###############################################################################
#
# HOST DEFINITION
#
###############################################################################
# Define a host for the local machine
define host {
use windows-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name w10-srv
alias srv-win
address 192.168.0.40
}
###############################################################################
#
# HOST GROUP DEFINITION
#
###############################################################################
# Define an optional hostgroup for Linux machines
# Define a service to check HTTP on the local machine.
# Disable notifications for this service by default, as not all users may have HTTP enabled.
define service{
use generic-service
host_name w10-srv
service_description NSClient++ Version
check_command check_nt!CLIENTVERSION
}
#Add the following service definition to monitor the uptime of the Windows server.
define service{
use generic-service
host_name w10-srv
service_description Uptime
check_command check_nt!UPTIME
}
#Add the following service definition to monitor the CPU utilization on the Windows server and generate a CRITICAL alert if the 5-minute CPU load is 90% or more or a WARNING alert if the 5-minute load is 80% or greater.
define service{
use generic-service
host_name w10-srv
service_description CPU Load
check_command check_nt!CPULOAD!-l 5,80,90
}
#Add the following service definition to monitor memory usage on the Windows server and generate a CRITICAL alert if memory usage is 90% or more or a WARNING alert if memory usage is 80% or greater.
define service{
use generic-service
host_name w10-srv
service_description Memory Usage
check_command check_nt!MEMUSE!-w 80 -c 90
}
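Review bot: The comment under `use windows-server` still says the host inherits from the `linux-server` template, and the file header still reads `LOCALHOST.CFG`; both were carried over from the Linux sample and should be updated, e.g. `; in (or inherited by) the windows-server host template definition.`. The `windows-server` template added in templates.cfg sets `hostgroups windows-servers`, but no `windows-servers` hostgroup is defined anywhere in this commit, so `nagios -v` is likely to reject the configuration unless that group lives in a file outside this change. The `check_nt!…` commands pass no `-s` secret; that is only acceptable if the check_nt command definition supplies one or NSClient++ is deliberately run without a password on this lab network — worth confirming, since an unauthenticated agent port answers anyone who can reach it.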


@@ -0,0 +1,53 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Define front-end
frontend http-in
# listen on 80 port
bind *:80
# set default backend
default_backend backend_servers
# send X-Forwarded-For header (permet d'afficher la bonne adresse dont la requête provient et pas l'adresse du haproxy)
option forwardfor
# define backend
backend backend_servers
# balance with roundrobin
balance roundrobin
# option forward for
option forwardfor
# define backend servers
server node01 172.16.1.1:80 check
server node02 172.16.1.2:80 check
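Review bot: `option forwardfor` is declared in both `frontend http-in` and `backend backend_servers`; one of the two is redundant and the backend copy can be dropped. The French comment presents the `X-Forwarded-For` value as the client's true address, but `option forwardfor` only appends to whatever the client already sent, so a request arriving with a pre-filled header reaches the backends with the client-supplied entry first; if the backends log or filter on that header, strip it at the edge with `http-request del-header X-Forwarded-For` in the frontend before the `option forwardfor` line, or have the backends read only the last value. Note also that the `ssl-default-bind-*` settings in `global` are unused because the only listener is `bind *:80`; either add an HTTPS listener or remove them so the file does not suggest TLS is in place.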

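--- /dev/null
+++ b/sisr2/sisr/20-LB/lvs.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Installation du paquet ipvsadm
+sudo apt update && sudo apt upgrade -y
+sudo apt install ipvsadm
+# Activer le routage
+sysctl -w net.ipv4.ip_forward=1
+# Création de cluster avec ipvsadm
+ipvsadm -A -t 192.168.0.170:80 -s rr
+# Ajout des serveurs backend
+ipvsadm -a -t 192.168.0.170:80 -r 172.16.1.1:80 -m
+ipvsadm -a -t 192.168.0.170:80 -r 172.16.1.2:80 -m
+# Vérification du fonctionnement
+ipvsadm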
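Review bot: Privilege handling is inconsistent: the `apt` commands run through `sudo` while `sysctl -w` and the four `ipvsadm` calls do not, so when the script is started as an ordinary user the package installs and then every cluster command fails with a permission error; either run the whole script as root or prefix those lines with `sudo`. `sudo apt install ipvsadm` also lacks `-y`, so it blocks on a prompt in non-interactive use, and `sysctl -w net.ipv4.ip_forward=1` is lost at reboot — persist it with a file under `/etc/sysctl.d/`. Adding `set -euo pipefail` after the shebang would stop the script on the first failure instead of continuing to add real servers to a virtual service that was never created. Be aware that `ipvsadm` alone performs no health checks, so a failed real server keeps receiving its share of connections until it is removed by hand; keepalived is the usual way to add checks on top of this table.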